Welcome. I hope the Keeper has not tried to get in touch with (not so) Smart Parking. If the dates you provided for the alleged contravention and the issue date of the Notice to Keeper (NtK), there can be no Keeper liability because it was not given within the relevant period for them to be able to transfer liability from the unknown driver to the known Keeper.
However, there is a problem in that (not so) Smart hold an invalid address for the Keeper. A data rectification notice needs to be sent to (not so) (Smarts DPO, instructing them to update their record with the Keepers current address for service and to erase the old address. The highlighted words are there for a reason, so use them.
Under no circumstances must the Keeper identify the driver, inadvertently or otherwise. The Keeper only refers to the driver in the third person. There is no legal obligation on the Keeper to identify the driver to an unregulated private parking company.
As it is far too late to try and appeal this, the Keeper is going to have to weather the useless and powerless debt collector letters that will continue for a while. Eventually, a Letter of Claim (LoC) will be sent and you should show that to us when it arrives. We will provide a suitable response.
However, you can and should make a formal complaint to the DVLA as (not so) Smart have breached the PPSCoP section 8.1.1(d) which states:
The parking operator must not serve a notice which in its design and/or language: state the keeper is liable under the Protection of Freedoms Act 2012 where they cannot be held liable.
Because of this, they are in breach of their KADOE contract with the DVLA and are using the Keepers data unlawfully. Here’s how to make a DVLA complaint:
• Go to: https://contact.dvla.gov.uk/complaints
• Select: “Making a complaint or compliment about the Vehicles service you have received”
• Enter your personal details, contact details, and vehicle details
• Use the text box to summarise your complaint or insert a covering note
• You will then be able to upload a file (up to 19.5 MB) — this can be your full complaint or supporting evidence
That’s it.
The DVLA is required to record, investigate and respond to every complaint about a private parking company. If everyone who encounters a breach took the time to submit a complaint, we might finally see the DVLA take meaningful action—whether that means curtailing or removing KADOE access altogether.
For the text part of the complaint the webform could use the following:
I am submitting a formal complaint against Smart Parking Ltd, a BPA AOS member (at the time but now an IPC member) with DVLA KADOE access, for breaching the BPA/IPC Private Parking Single Code of Practice (PPSCoP) after obtaining my personal data.
While the Operator may have had reasonable cause at the time of their KADOE request, their subsequent misuse of my data—through conduct that contravenes the PPSCoP—renders that use unlawful. The PPSCoP forms an integral part of the DVLA’s governance framework for data access by private parking firms. Continued access is conditional on compliance.
The DVLA, as data controller, is obliged under UK GDPR and the Data Protection Act 2018 to investigate and take enforcement action when data is misused following release. This complaint is not about whether the data was obtained lawfully at the outset, but whether its subsequent use breached the terms under which it was provided.
I have prepared a supporting statement setting out the nature of the breach and the Operator’s actions, and I request a full investigation into this matter. I have attached the supporting document.
Please acknowledge receipt and confirm the reference number for this complaint.
Then you could upload the following as a PDF file for the formal complaint itself:
SUPPORTING STATEMENT
Complaint to DVLA – Breach of KADOE Contract and PPSCoP
Operator name: Smart Parking Ltd
Date of PCN issue: 30/01/2025
Vehicle registration: [INSERT VRM]
I am submitting this complaint to report a misuse of my personal data by Smart Parking Ltd, who obtained my keeper details from the DVLA under the KADOE (Keeper At Date Of Event) contract.
Although the parking company may have had reasonable cause to request my data initially, the way they have used that data afterwards amounts to unlawful processing. This is because they have acted in breach of the BPA/IPC Private Parking Single Code of Practice (PPSCoP), which is a mandatory requirement for access to DVLA keeper data. The PPSCoP forms part of the framework that regulates how parking companies must behave once they have received keeper data from the DVLA.
The KADOE contract makes clear that keeper data may only be used to pursue an unpaid parking charge in line with the Code of Practice. If a parking company fails to comply with the PPSCoP after receiving DVLA data, their use of that data becomes unlawful, as they are no longer using it for a permitted purpose.
In this case, Smart Parking Ltd has breached the PPSCoP in the following way:
They issued a Notice to Keeper (NtK) dated 30/01/2025 for an alleged parking event that occurred on 19/01/2025. The operator is attempting to rely on the Protection of Freedoms Act 2012 (PoFA) to transfer liability to the registered keeper. However, in order to do so lawfully, the operator must comply with Schedule 4, Paragraph 9(4) of PoFA, which sets a strict statutory time limit for delivery of the NtK:
“The notice must be given by—
(a) delivering it to that address; or
(b) sending it by post so that it is delivered,
not later than 14 days after the vehicle was parked.”
This means that the NtK must be ‘given’ — i.e., delivered or deemed delivered — by the fourteenth day after the parking event. For a parking event on 19/01/2025, the final day for the NtK to be deemed ‘given’ would be 02/02/2025 (accounting for PoFA's deemed delivery rules: two working days after posting).
However, the NtK in this case was dated 30/01/2025, which was a Thursday. Assuming it was posted on that date, the earliest deemed date of service would be Monday 03/02/2025, as weekends do not count as working days. That is Day 15, and therefore too late for keeper liability to apply under PoFA. No amount of backdating or delay can lawfully change this.
Therefore, Smart Parking could never have achieved compliance with PoFA, and yet they explicitly stated in the NtK that the keeper is liable under PoFA. This is a clear breach of:
• PoFA Schedule 4, Paragraph 9(4)
• Section 8.1.1(d) of the Private Parking Single Code of Practice, which prohibits operators from stating that keeper liability applies when it does not.
This is not a trivial or technical breach. It is a false representation of legal liability, made using personal data obtained from the DVLA, and constitutes unlawful use of that data. The operator is using DVLA data to pursue a legal position they are statutorily barred from relying on.
The DVLA has a duty, as the data controller, to enforce the terms of the KADOE contract and the PPSCoP and to prevent personal data from being misused in this manner. That section states:
The DVLA remains the Data Controller for the data it releases under KADOE, and is therefore responsible for ensuring that personal data is not misused by third parties. This includes taking action against AOS operators who breach the conditions under which the data was provided. I am therefore asking the DVLA to investigate this breach and to take appropriate action under the terms of the KADOE contract.
This may include:
• Confirming that a breach has occurred
• Taking enforcement action against the operator
• Suspending or terminating their KADOE access if warranted
I have attached relevant supporting material with this statement. Please confirm receipt and provide a reference for this complaint. I am also happy to provide further information if required.
Name: [INSERT YOUR NAME]
Date: [INSERT DATE]